We will be posting some quick malware updates on our blog from now on. The latest one, which is affecting quite a few sites, is malicious JavaScript being injected directly into the wp_posts table on WordPress sites. These are the domains being used:

http://aeaaea.com/ou

http://secree.com/re

http://uoauer.com/si

http://oeooea.com/ve

http://secowo.com/wo

Those were used in the first batch of attacks that happened a few weeks (months) ago:
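A defender's check for the wp_posts injection described above, as an added example that is not from the original post: it parses each post body, extracts every `<script src>` and flags hosts on the domain list given in the post. The function names, the `site_host` parameter and the sample rows are assumptions made for illustration; the rows stand in for the result of `SELECT ID, post_content FROM wp_posts`.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts from the domain list in the post above.
BLOCKED_HOSTS = {"aeaaea.com", "secree.com", "uoauer.com", "oeooea.com", "secowo.com"}

class ScriptSrcCollector(HTMLParser):
    # Collects the src attribute of every <script> tag (tag names arrive lowercased).
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())

def script_hosts(post_content):
    """Return (src, host) for each script in post_content that names a host."""
    parser = ScriptSrcCollector()
    parser.feed(post_content)
    found = []
    for src in parser.sources:
        try:
            host = urlparse(src).hostname  # handles "//host/path"; None for relative paths
        except ValueError:                 # malformed URL, e.g. a broken IPv6 literal
            host = None
        if host:
            found.append((src, host.rstrip(".")))
    return found

def scan_posts(rows, blocked=BLOCKED_HOSTS, site_host=None):
    """rows: iterable of (ID, post_content). Returns [(ID, src, verdict), ...]."""
    findings = []
    for post_id, content in rows:
        for src, host in script_hosts(content or ""):
            if host in blocked or any(host.endswith("." + b) for b in blocked):
                findings.append((post_id, src, "blocked"))
            elif site_host and host not in (site_host, "www." + site_host):
                findings.append((post_id, src, "external"))  # review by hand
    return findings

# Constructed sample rows (hypothetical post bodies, not real site data).
SAMPLE_ROWS = [
    (1, '<p>Hello</p><script src="http://aeaaea.com/ou"></script>'),
    (2, '<p>Clean</p><script src="/wp-includes/js/jquery.js"></script>'),
    (3, '<SCRIPT SRC="//www.secowo.com/wo"></SCRIPT>'),
    (4, '<script src="https://cdn.example.net/lib.js"></script>'),
]
```

Calling `scan_posts(SAMPLE_ROWS, site_host="example.org")` reports posts 1 and 3 as blocked and post 4 as an external script to review. Inline scripts with no `src` attribute are not covered by this check.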

A large portion of the sites Sucuri has been fixing in recent weeks stem from infections caused by the infamous Pharma Hack. We posted a detailed document explaining how to fix it and clean up after the attack:

If you have been following our blog for long, you have probably heard about quite a few large-scale attacks affecting many hosting companies: GoDaddy, Bluehost, Dreamhost, etc.

The new one that started to spread today uses a JavaScript file pointing to http://vancouvererrorsonfile.com/js2.php. When called, it loads www4.meowmeow4.co.cc and then offers the famous “fake AV” virus to the site's end user. This is how it looks on a site:

Recently we started to see a lot of WordPress sites hacked with malware hidden inside the wp_options -> siteurlpath table. The symptoms are very similar to the pharma hack (lots of SPAM hidden in the site), but in this case the SPAM is displayed to all users, not only search engines.